How to manually import scan config from cli

Hi,

I’ve installed greenbone-vulnerability-manager ( gvm-20.8.0-14795 ) on Centos 8.2 from atomic repo.
After installation was done I end up without any scan config.
“/usr/sbin/greenbone-feed-sync --type GVMD_DATA” doesn’t fetch anything except timestamp.
But in /var/lib/gvm/data-objects/gvmd/20.08/configs I have followinf xml’s:
base-d21f6c81-2b88-4ac1-b7b4-a2a9f2ad4663.xml
discovery-8715c877-47a0-438d-98a3-27c7a6ab2196.xml
empty-085569ce-73ed-11df-83c3-002264764cea.xml
full-and-fast-daba56c8-73ec-11df-a475-002264764cea.xml
host-discovery-2d3f051c-55ba-11e3-bf43-406186ea4fc5.xml
system-discovery-bbca7412-a950-11e3-9109-406186ea4fc5.xml
policy_euleros_20200909_9f822ad3-9208-4e02-ac03-78dce3ca9a23.xml
policy_gaussdb_20200909_61327f09-8a54-4854-9e1c-16798285fb28.xml
policy-huawei-datacom-aab5c4a1-eab1-4f4e-acac-8c36d08de6bc.xml
policy-it-grundschutz-c4b7c0cb-6502-4809-b034-8e635311b3e6.xml

And when I try to import them via Greenbone Security Assistant I get same error for all:
"Name and base config to copy must be at least one character long.

How can I see if those files are wrong ( thay are here from installation ) or is there any way to import them from cli maybe?
Thanks

and when I try create new scan config, and choose for Base “Base with a minimum set of NVT’s” I get error “Failed to find config d21f6c81-2b88-4ac1-b7b4-a2a9f2ad4663” what is a text from base file name.

Hi, with the 20.08 release these scan configs are provided with the feed and are loaded automatically if gvmd is set up correctly. Please read the release announcement for some more details

Hi, as I wrote in original post, when I start sync for that feed I don’t get anything, just timestamp with original date ( 16. 10. 2020. ) when I installed OpenVas…

/usr/sbin/greenbone-feed-sync --type GVMD_DATA

You did write the files are available at /var/lib/gvm/data-objects/gvmd/20.08/configs already. Therefore the sync has been successful. Most likely your didn’t set the feed import owner.

and I need to set like this:
[gvm@hrygiuapp00005 gvmd]$ gvmd --get-users --verbose
admin 60b48b68-e0af-4fff-9225-221f074d059b
[gvm@hrygiuapp00005 gvmd]$ gvmd --modify-settings d21f6c81-2b88-4ac1-b7b4-a2a9f2ad4663 --value 60b48b68-e0af-4fff-9225-221f074d059b

where d21f6c81-2b88-4ac1-b7b4-a2a9f2ad4663 is number from file base-d21f6c81-2b88-4ac1-b7b4-a2a9f2ad4663.xml ?

Please see the available documentation on this topic.

The 78eceaec-3385-11ea-b237-28d24461215b UID needs to be kept (this is the UID of the related setting, not the UID of a specific scan config).

ok, I changed this.
And now I running all syncs. Will wait till tomorrow and see if everything is ok.

Should I restart something?

Thanks

there is not anything new today. All feeds are up to date except gvmd_data.

I done feed import owner and do the sync of all sync.

Any hints?

This is absolutely fine, see https://community.greenbone.net/t/feeds-are-not-updated-ubuntu20-04-gsa-20-08/7236/2:

In addition the GVM_DATA feed is a special one which gets updates only from time to time if required (could be weeks or even months between updates).

but in Configuration -> Scan Configs there isn’t any scan config. By default there is a filter applied with uuids from before mentioned files but no configs available:

And without filter, no scan configs too!

Never have seen this on a GSE setup if the feed import owner was correctly set. It might be related to the packages / the following issue reported to the maintainer of the atomic packages:

Note that AFAIK gvmd is only able to successfully import the scan configs if it is able to connect to ospd-openvas and if ospd-openvas has a fully build NVT cache.

SecInfo -> NVTs in GSA needs to be filled and up to date, if not check things like https://github.com/greenbone/gvmd/blob/v20.8.0/INSTALL.md#configure-the-default-ospd-scanner-socket-path or the logfiles of gvmd and ospd-openvas.

Also make sure that you’re running the feed sync scripts as the correct user which is running the GVM services so that no issues are originating from wrong permissions on the file system.

SecInfo -> NVTs is empty ( No NVTs available )

in my case there isnt anything in this first folder:
[gvm@hrygiuapp00005 gvmd]$ cd /var/run/ospd/
[gvm@hrygiuapp00005 ospd]$ ls -la
total 0
drwxr-xr-x 2 gvm gvm 40 Oct 19 13:39 .
drwxr-xr-x 29 root root 820 Oct 19 18:01 …

My scanner config is as follows:
[gvm@hrygiuapp00005 ospd]$ gvmd --get-scanners
08b69003-5fc2-4037-a479-93b440211c73 OpenVAS /var/run/ospd/ospd.sock 0 OpenVAS Default
6acd0832-df90-11e4-b9d5-28d24461215b CVE 0 CVE

So I need to run this ( is it mandatory to put install_prefix if it is nothing?):
gvmd --modify-scanner=08b69003-5fc2-4037-a479-93b440211c73 --scanner-host=/var/run/ospd/ospd-openvas.sock

?

This really depends on how the Atomic packages are setting up the location of the socket. Unfortunately i can’t tell you more as i don’t have any knowledge about the packages besides:

  • ospd-openvas needs to be running for the socket to be created
  • the path of the ospd-openvas socket depends on how the Atomic packages are configuring it
  • gvmd needs to be pointing at the correct socket path depending on the configuration of the Atomic packages

If unsure please contact the Atomic package maintainer how the packages have configured this and report any issues related to the setup to https://github.com/Atomicorp/gvm/issues

I found some more errors in logs, it seems that something is wrong with redis ( which is started ):
[root@hrygiuapp00005 gvm]# tail -1 ospd-scanner.log
OSPD[603448] 2020-10-28 09:07:20,844: ERROR: (ospd_openvas.db) Redis Error: Not possible to connect to the kb.
[root@hrygiuapp00005 gvm]# tail -3 openvas.log
lib kb:CRITICAL:2020-10-27 02h24.43 utc:509678: get_redis_ctx: redis connection error to /var/run/redis/redis.sock: No such file or directory
lib kb:CRITICAL:2020-10-28 02h09.19 utc:583746: redis_find: redis connection error to /var/run/redis/redis.sock: No such file or directory
lib kb:CRITICAL:2020-10-28 02h09.19 utc:583746: get_redis_ctx: redis connection error to /var/run/redis/redis.sock: No such file or directory
[root@hrygiuapp00005 gvm]# grep “redis.sock” /etc/redis.conf
unixsocket /var/run/redis/redis.sock
[root@hrygiuapp00005 gvm]# ls -la /var/run/redis/redis.sock
ls: cannot access ‘/var/run/redis/redis.sock’: No such file or directory

Redis isn’t bringing up a socket file.

So what would be the path to resolution?
force redis to bring up socket?
Then change ospd socket?

Bringing up redis and making it accessible at the socket path where openvas / ospd-openvas is expecting it would be the first step. Afterwards check where the Atomic packages are setting up the ospd-openvas socket, might be possible that no ospd socket change is required if they are using the default path.

redis lissened on /tmp/redis.sock. I restarted redis, and it created right sock file.
I rebooted whole machine and now I have scan configs.

I will not change ospd.sock to ospd-openvas.sock for now.

1 Like

it seems that current ospd settup is ok:
[root@hrygiuapp00005 gvm]# ps -ef| grep ospd
gvm 1322 1 12 10:08 ? 00:03:49 /usr/bin/python3.6 /opt/atomicorp/bin/ospd-openvas --pid-file /var/run/ospd/ospd-openvas.pid --unix-socket=/var/run/ospd/ospd.sock --log-file /var/log/gvm/ospd-scanner.log --lock-file-dir /var/run/gvm/
gvm 1324 1322 0 10:08 ? 00:00:01 /usr/bin/python3.6 /opt/atomicorp/bin/ospd-openvas --pid-file /var/run/ospd/ospd-openvas.pid --unix-socket=/var/run/ospd/ospd.sock --log-file /var/log/gvm/ospd-scanner.log --lock-file-dir /var/run/gvm/
root 7570 1379 0 10:39 pts/0 00:00:00 grep --color=auto ospd
[root@hrygiuapp00005 gvm]# ls -la /var/run/ospd
total 4
drwxr-xr-x 2 gvm gvm 80 Oct 28 10:08 .
drwxr-xr-x 29 root root 820 Oct 28 10:08 …
-rw-r–r-- 1 gvm gvm 4 Oct 28 10:08 ospd-openvas.pid
srwx------ 1 gvm gvm 0 Oct 28 10:08 ospd.sock
[root@hrygiuapp00005 gvm]#

Thanks for your help.

1 Like